CVE-2026-41645
Expression Injection in Nuclei Scanner
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectdiscovery | nuclei | From 3.0.0 (inc) to 3.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41645 is a vulnerability in the Nuclei vulnerability scanner's expression evaluation engine present in versions from 3.0.0 up to but not including 3.8.0. The issue arises because Nuclei processes templates in two passes: first replacing placeholders, then scanning the substituted output for DSL/helper expressions. This allows a malicious target server to inject and execute supported DSL expressions by including helper/function syntax in HTTP response data reused by multi-step templates.
If the command-line option -env-vars (or -ev) is explicitly enabled, environment variables from the host are merged into the template variable map. This can lead to exposure of host environment variables when malicious expressions like {{env_var_name}} are injected and reused in subsequent template requests. The option is off by default, so standard configurations are not affected by this information disclosure risk.
The vulnerability is caused by improper handling of template-authored expressions, where response-derived data can be reinterpreted as executable DSL expressions, leading to unintended code execution or information disclosure.
This issue was fixed in Nuclei version 3.8.0 by changing the evaluation logic to only evaluate expressions explicitly authored in the template before placeholder substitution, preventing execution of injected expressions from response data.
How can this vulnerability impact me? :
This vulnerability can impact users by allowing a malicious target server to inject and execute DSL expressions within Nuclei templates, potentially leading to unintended code execution.
If the -env-vars / -ev option is enabled, it can expose sensitive host environment variables such as API keys, credentials, and tokens to the attacker, resulting in information disclosure.
Even without the -ev option enabled, injected expressions may execute helper functions causing unexpected behavior, though without meaningful security impact.
The vulnerability affects CLI users running multi-step templates against untrusted or attacker-controlled targets with -ev enabled, as well as SDK users integrating Nuclei with environment variable exposure enabled in untrusted environments.
The CVSS v3.1 base score is 5.3, indicating a medium severity with network attack vector, high attack complexity, no privileges required, user interaction required, and high confidentiality impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-41645 in Nuclei, you should upgrade to version 3.8.0 or later, where the issue has been fixed by changing the expression evaluation logic to only evaluate expressions explicitly authored in templates, preventing injection from response-derived data.
If upgrading immediately is not possible, you should disable the -env-vars (or -ev) option when scanning untrusted or attacker-controlled targets, as this option enables environment variable exposure and is off by default.
Avoid running multi-step templates against untrusted targets with the -ev option enabled to prevent malicious injection and execution of DSL expressions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Nuclei versions 3.0.0 to before 3.8.0 allows a malicious target server to inject and execute DSL expressions that can expose host environment variables if the -env-vars / -ev option is explicitly enabled. This exposure can lead to disclosure of sensitive information such as API keys, credentials, and tokens.
Such unauthorized disclosure of sensitive environment variables could potentially violate data protection regulations and standards like GDPR and HIPAA, which require safeguarding of sensitive and personal data. If environment variables contain personal data or credentials related to protected health information or personal identifiers, their exposure could lead to non-compliance with these regulations.
However, the risk is mitigated by the fact that the -env-vars / -ev option is off by default, so standard configurations are not affected by the information disclosure risk. Users are strongly advised to upgrade to version 3.8.0 where this issue is fixed, or to disable the -env-vars option when scanning untrusted targets.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect the presence of the CVE-2026-41645 vulnerability in your environment, you should first identify if you are running Nuclei versions from 3.0.0 up to but not including 3.8.0, as these versions contain the vulnerable expression evaluation engine.
Since the vulnerability involves the evaluation of injected DSL expressions in HTTP response data reused by multi-step templates, detection can focus on monitoring Nuclei scan configurations and network traffic for suspicious template usage or unexpected environment variable exposure.
Specifically, check if the Nuclei scanner is run with the `-env-vars` or `-ev` option enabled, which is off by default but when enabled can expose host environment variables through maliciously crafted responses.
For practical detection, you can run commands to check the installed Nuclei version and scan command options, for example:
- Check Nuclei version: `nuclei -version`
- Check running processes or scripts for usage of `-env-vars` or `-ev` flags, e.g., `ps aux | grep nuclei` or review automation scripts.
Additionally, to detect if a target server is attempting to exploit this vulnerability, monitor HTTP responses for injected DSL expressions such as `{{env_var_name}}` or other helper syntax patterns like `{{md5("test")}}` in response bodies or extractor outputs.
You can use network inspection tools or simple command-line utilities to search for these patterns in HTTP responses, for example:
- Using `curl` and `grep` to inspect response content for DSL expressions: `curl -s http://target | grep -E '\{\{.*\}\}'`
- Using packet capture tools like `tcpdump` or `Wireshark` to filter HTTP traffic and inspect for suspicious DSL expression patterns.
Finally, the best detection and mitigation is to upgrade Nuclei to version 3.8.0 or later, where the vulnerability is fixed by restricting expression evaluation to only template-authored expressions.